How to split certain events to 2 different indexer...

tlow · ‎07-09-2014

Hi, want to split out certain eventid to 2 different indexers from a universal forwarder 6.1
could this work?
tried to create on 2 separated apps but it only took on the first one.

[WinEventLog://Security]
disabled=0
whitelist= Category="^Error"
index = Awindows

[WinEventLog://Security]
disabled=0
whitelist= Category="^Info"
index = Bwindows

want to see if i can control on the client side, and not on the indexer

martin_mueller · ‎07-09-2014

That approach doesn't work because you're essentially overwriting the same value from the second stanza - it has the same name so it's the same stanza.

You can rewrite the index value in transforms.conf:

[send_to_A_index]
REGEX = Category="Error"
DEST_KEY = _MetaData:Index
FORMAT = Awindows

[send_to_B_index]
REGEX = Category="Info"
DEST_KEY = _MetaData:Index
FORMAT = Bwindows

Then refer to those stanzas in props.conf:

[sourcetype, source, or host identifier]
TRANSFORMS-index = send_to_A_index,send_to_B_index

Usually these are on the indexer(s), and in most cases it's best to keep it that way. However, it's possible to use a heavy forwarder on the source host to have the HF do the parsing, filtering, etc.

How to split certain events to 2 different indexers from a 6.1 universal forwarder?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation